NetWitness allows you to tag an application rule with MITRE ATT&CK Tactics and Techniques. The MITRE ATT&CK framework describes the tactics, techniques, and sub-techniques used by advanced attackers and advanced persistent threats (APTs). NetWitness uses the framework to classify the threats that its rules detect and to support their analysis.
When you tag an application rule with MITRE ATT&CK Tactics and Techniques, analysts can see which tactics and techniques are associated with the incidents, alerts, and events that the rule produces.
You do not have to search the MITRE pages to understand a technique or tactic and its implications. All of the MITRE details are shown in the ATT&CK Explorer. These details help you understand how an attack or event was detected in your NetWitness system so that you can make informed decisions.
NetWitness Platform lets analysts take the analysis further, down to the level of individual techniques and sub-techniques.
The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior. It reflects the various phases of an adversary's attack lifecycle and the platforms they are known to target.
For more information on the MITRE ATT&CK framework, go to https://attack.mitre.org/resources/faq/
For more information, see the “Use MITRE ATT&CK Framework” chapter in the NetWitness Respond User Guide for 12.4.
NetWitness allows you to tag both application rules and ESA rules with MITRE ATT&CK Tactics and Techniques. Once a rule is tagged, you can open the ATT&CK Explorer to view the details of the tagged tactics and techniques, including the mitigations and procedure examples MITRE associates with them, without leaving NetWitness.
Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
To view MITRE ATT&CK Tactics and Techniques in application and ESA rules
Go to (CONFIGURE) > Policies.
In the Policies panel, click the Content tab.
Click APPLICATION RULE. The Application Rules are listed.
Click the rule whose MITRE ATT&CK Tactics and Techniques you want to view. The rule panel appears on the left.
In the left panel, scroll down to the MITRE ATT&CK TACTICS and TECHNIQUES categories.
Click a tactic or technique under MITRE ATT&CK TACTICS or TECHNIQUES. The ATT&CK Explorer panel appears with details on the tactics and techniques.
You can view the following details:
Fields | Description |
---|---|
MITRE ATT&CK Tactics | Displays the tactics associated with the rule, and therefore with the incidents, alerts, and events it produces. For example, Credential Access, which covers techniques for stealing account names and passwords. For more information, see https://attack.mitre.org/tactics/enterprise/. |
ATT&CK ID | Displays the ATT&CK ID of the tactic. Click the ATT&CK ID to open the corresponding MITRE page for additional details. For example, TA0006 is the ID of the tactic Credential Access. |
TYPE | Displays the technique associated with the tactic. |
TACTIC | Displays the tactics that you tagged. You can tag a rule with multiple tactics. |
DESCRIPTION | Displays detailed information about the tactic associated with the rule. |
Techniques | Displays the ID, Name, and Description of the techniques and sub-techniques associated with the tactic. Techniques are how the adversary achieves a tactical goal by performing an action. Sub-techniques describe the adversarial behavior at a lower level than a technique. For more information, see |
Mitigations | Displays the ID, Name, and Description of the mitigations that prevent a technique or sub-technique from executing successfully. For example, the mitigation Account Use Policies (M1036) covers configuring account-use features such as login-attempt lockouts and permitted login times. For more information, see https://attack.mitre.org/mitigations/enterprise/. |
Procedure Examples | Displays the ID, Name, and Description of the procedures that adversaries have used for the technique or sub-technique. For example, Lazarus Group (G0032) is a North Korean state-sponsored cyber threat group that was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, part of a campaign that Novetta named Operation Blockbuster. For more information, see https://attack.mitre.org/resources/faq/#faq-0-2-header and https://attack.mitre.org/groups/G0032/. |
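The fields above map directly onto the objects in the ATT&CK knowledge base, which MITRE publishes as STIX 2.1 JSON bundles. The following Python is an added example, not NetWitness code and not the ATT&CK Explorer's implementation: it resolves a tactic or technique ID against a small bundle in MITRE's object layout (x-mitre-tactic, attack-pattern, course-of-action, intrusion-set, relationship) and assembles the same categories the explorer shows: the tactic, its techniques and sub-techniques, the mitigations attached to each, and the procedure examples. The bundle is constructed for this example; the IDs TA0006, T1110, T1110.003, M1036 and G0032 are real, but the descriptions are shortened and the procedure text is placeholder text. The function names (`explore`, `attack_url`, `index_bundle`) are this example's own.

```python
"""Added example: resolve an ATT&CK ID against an ATT&CK STIX 2.1 bundle and
build the kind of summary the ATT&CK Explorer shows (tactic, techniques and
sub-techniques, mitigations, procedure examples).

The bundle below is CONSTRUCTED for this example. It follows MITRE's real
object layout and uses real IDs, but descriptions are shortened and the
"uses" relationship text is a placeholder; see attack.mitre.org for the
authoritative content.
"""
from collections import defaultdict


def _mitre(eid):
    """external_references entry that carries the ATT&CK ID, as in MITRE's bundles."""
    return [{"source_name": "mitre-attack", "external_id": eid}]


SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ta0006", "name": "Credential Access",
     "x_mitre_shortname": "credential-access",
     "description": "The adversary is trying to steal account names and passwords.",
     "external_references": _mitre("TA0006")},
    {"type": "attack-pattern", "id": "attack-pattern--t1110", "name": "Brute Force",
     "x_mitre_is_subtechnique": False,
     "description": "Adversaries may use brute force techniques to gain access to accounts.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": _mitre("T1110")},
    {"type": "attack-pattern", "id": "attack-pattern--t1110-003", "name": "Password Spraying",
     "x_mitre_is_subtechnique": True,
     "description": "A single common password is tried against many accounts.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": _mitre("T1110.003")},
    {"type": "course-of-action", "id": "course-of-action--m1036", "name": "Account Use Policies",
     "description": "Configure login attempt lockouts and permitted login times.",
     "external_references": _mitre("M1036")},
    {"type": "intrusion-set", "id": "intrusion-set--g0032", "name": "Lazarus Group",
     "description": "North Korean state-sponsored cyber threat group.",
     "external_references": _mitre("G0032")},
    # Sub-technique, mitigation and procedure links are relationship objects.
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1110-003", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1036", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0032", "target_ref": "attack-pattern--t1110-003",
     "description": "Constructed placeholder procedure text for this example."},
]}


def attack_url(attack_id):
    """Public MITRE page for a tactic, technique, mitigation or group ID."""
    section = {"TA": "tactics", "T": "techniques", "M": "mitigations", "G": "groups"}
    prefix = "TA" if attack_id.startswith("TA") else attack_id[0]
    path = attack_id.replace(".", "/")  # sub-technique T1110.003 -> T1110/003
    return f"https://attack.mitre.org/{section[prefix]}/{path}/"


def _attack_id(obj):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def index_bundle(bundle):
    """Lookup tables: objects by STIX id and ATT&CK id, relationships by (type, target)."""
    by_stix, by_attack, rels = {}, {}, defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # real bundles keep retired objects; do not tag rules with them
        if obj["type"] == "relationship":
            rels[(obj["relationship_type"], obj["target_ref"])].append(obj)
        else:
            by_stix[obj["id"]] = obj
            if _attack_id(obj):
                by_attack[_attack_id(obj)] = obj
    return by_stix, by_attack, rels


def _summary(obj, **extra):
    aid = _attack_id(obj)
    return {"id": aid, "name": obj["name"], "url": attack_url(aid),
            "description": obj.get("description", ""), **extra}


def _phases(pattern):
    return {k["phase_name"] for k in pattern.get("kill_chain_phases", [])
            if k["kill_chain_name"] == "mitre-attack"}


def explore(bundle, attack_id):
    """Explorer view for a tactic ID (TA....) or a technique/sub-technique ID (T....)."""
    by_stix, by_attack, rels = index_bundle(bundle)
    obj = by_attack.get(attack_id)
    if obj is None:
        raise KeyError(f"{attack_id} is not in the bundle")
    by_phase = {t["x_mitre_shortname"]: t for t in by_stix.values() if t["type"] == "x-mitre-tactic"}
    patterns = [p for p in by_stix.values() if p["type"] == "attack-pattern"]
    if obj["type"] == "x-mitre-tactic":
        tactics = [obj]
        techniques = [p for p in patterns if obj["x_mitre_shortname"] in _phases(p)]
    elif obj["type"] == "attack-pattern":
        tactics = [by_phase[ph] for ph in sorted(_phases(obj)) if ph in by_phase]
        # a technique view also lists its sub-techniques
        techniques = [obj] + [by_stix[r["source_ref"]] for r in rels[("subtechnique-of", obj["id"])]]
    else:
        raise ValueError(f"{attack_id} is a {obj['type']}; pass a tactic or technique ID")

    def technique_view(p):
        mitigations = [_summary(by_stix[r["source_ref"]]) for r in rels[("mitigates", p["id"])]]
        procedures = [_summary(by_stix[r["source_ref"]], procedure=r.get("description", ""))
                      for r in rels[("uses", p["id"])]]
        return _summary(p, subtechnique=bool(p.get("x_mitre_is_subtechnique")),
                        mitigations=mitigations, procedure_examples=procedures)

    return {"tactics": [_summary(t) for t in tactics],
            "techniques": [technique_view(p) for p in sorted(techniques, key=_attack_id)]}


if __name__ == "__main__":
    import json
    print(json.dumps(explore(SAMPLE_BUNDLE, "TA0006"), indent=2))
```

The same code runs unchanged against the full enterprise-attack bundle that MITRE distributes, since it only relies on the standard object types and relationship names; the `revoked` and `x_mitre_deprecated` filter matters there, because retired techniques stay in the bundle and should not be used to tag new rules.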